Your Android phone can now double as a security key

An extra layer of security never hurt anybody, and now you can turn your phone into a physical security key

Google has announced that any smartphone running Android 7.0 (Nougat) or later can now be used as a hardware security key for two-factor authentication (2FA).

Available in beta at the moment, the new feature is intended to provide an additional authentication factor and keep Google account users safe from phishing scams and other attacks that attempt to steal people’s login credentials. It can be used to protect your personal Google accounts, as well as Google Cloud Accounts at work.

There are a few basic requirements for using your smartphone as a FIDO2-based security key beyond running Android 7.0 or newer. For one thing, your phone will need to have both Bluetooth and location services enabled. Additionally, you will need to have a Bluetooth-enabled Chrome OS, macOS X or Windows 10 computer and use Google Chrome.

To turn on the new feature, you will need to add your Google account to your phone, ensure you’re enrolled in two-step verification/2SV (Google’s term for 2FA), click the ‘Add security key’ option in your 2SV settings and pick the relevant smartphone. Google also provides a detailed how-to guide for the setup process.

Source: blog.google.com

The extra factor

Two-factor authentication is a highly valuable way to add an extra layer of security to online accounts on top of your password – and with minimal fuss at that. The bottom line is that even if cybercriminals steal your password, they will still not be able to access your account unless they also possess the second factor.

There are several 2FA methods, but hardware-based solutions are generally seen as superior in terms of security to other methods, especially compared to the most common one that relies on text messages. (Make no mistake, however, even SMS-based 2FA is still far better than nothing.)

Google launched its own hardware security key last year and revealed that security tokens had essentially done away with the problem of phishing attacks against its employees. Having said that, chances are you may not want to spend anywhere between US$20 and US$60 on a security key, be it Google’s own or one made by firms such as Yubico and Feitian Technology. Which is where your Android smartphone may come into play.